7.3. Generating a Trusted CA

. Problem

You want to generate SSL keys that browsers will accept without a warning message.

. Solution

Issue the following commands:

% CA.pl -newca
% CA.pl -newreq
% CA.pl -signreq
% CA.pl -pkcs12

. Discussion

Recipe 7.2 discusses the lengthy steps that are required to create keys and sign them. Fortunately, OpenSSL comes with a script to automate much of this process, so that you don't have to remember all of those arguments. This script, called CA.pl, is located where your SSL libraries are installed, for example, /usr/share/ssl/misc/CA.pl.

The lines in the Solution hide a certain amount of detail, as you will be asked a number of questions in the process of creating the key and the certificate. Note also that you will probably need to be in the directory where this script lives to get successful results from this recipe.

If you want to omit the passphrase on the certificate so that you don't have to provide the passphrase each time you start up the server, use -newreq-nodes rather than -newreq when generating the certificate request.

After running this sequence of commands, you can generate more certificates by repeating the -newreq and -signreq commands.

Having run these commands, you will have generated a number of files. The file newcert.pem is the file you specify in your SSLCertificateFile directive, the file newreq.pem is your SSLCertificateKeyFile, and the file demoCA/cacert.pem is the CA certificate file, which will need to be imported into your users' browsers (for some browsers) so that they can automatically trust certificates signed by this CA. And, finally, newcert.p12 serves the same purpose as demoCA/cacert.pem for certain other browsers.

. See Also